---
title: Eclipse Vert.x and Log4j 2 CVE-2021-44228
category: security
authors:
  - name: Julien Viet
    github_id: vietj
summary: >-
  CVE-2021-44228, a recently disclosed vulnerability, affects the Log4j 2 library.
  The Vert.x project can optionally use Log4j but does not ship it and therefore is not affected by this CVE.
---

The recently disclosed [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228) affects the Log4j 2 library.

The Vert.x project can *optionally* use this library for logging but *does not ship* or *directly depend on* it, and therefore is not affected by this CVE.

In practice, an application using Vert.x might use Log4j 2, but to do so it needs to explicitly depend on this library. In such a case, the Log4j 2
dependency version *must* be upgraded to 2.15.0 or later.
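
One way to check an application build for this, as an added example that is not part of the Vert.x project: the script below flags `log4j-core` entries older than 2.15.0 in text shaped like the output of `mvn dependency:list`. The function names and the sample listing are constructed for illustration, and it assumes Maven's `group:artifact:type[:classifier]:version:scope` line format.

```python
import re

# Threshold from the advisory: Log4j 2 must be 2.15.0 or later.
# The trailing 1 marks a final release (see parse_version).
MIN_SAFE = (2, 15, 0, 1)
# Maven coordinates of the Log4j 2 implementation artifact.
GROUP, ARTIFACT = "org.apache.logging.log4j", "log4j-core"

# Constructed sample, shaped like `mvn dependency:list` output.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    io.vertx:vertx-core:jar:4.2.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.15.0:test
"""


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    A qualified version (-beta9, -rc1) sorts below the plain release,
    so the tuple ends with 0 when a qualifier is present and 1 otherwise.
    """
    numeric, _, qualifier = text.partition("-")
    parts = [int(p) for p in numeric.split(".") if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) + ((0,) if qualifier else (1,))


def find_outdated_log4j(dependency_list):
    """Return [(version, scope)] for each log4j-core entry below MIN_SAFE."""
    findings = []
    for line in dependency_list.splitlines():
        # Drop Maven's "[INFO]" prefix; keep only the coordinate token so
        # anything printed after the scope is ignored.
        tokens = re.sub(r"^\[INFO\]\s*", "", line.strip()).split()
        coords = tokens[0].split(":") if tokens else []
        if len(coords) < 5 or coords[0] != GROUP or coords[1] != ARTIFACT:
            continue
        version, scope = coords[-2], coords[-1]
        if parse_version(version) < MIN_SAFE:
            findings.append((version, scope))
    return findings


if __name__ == "__main__":
    for version, scope in find_outdated_log4j(SAMPLE):
        print(f"log4j-core {version} ({scope}) is older than 2.15.0: upgrade")
```
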

This week, the Vert.x team will provide patch releases that update the optional or test dependencies on Log4j 2:

- Vert.x 4.2.2, which is expected to be delivered soon and contains other bug fixes
- Vert.x 4.1.7, the previous stable branch
- Vert.x 3.9.11, the last stable branch of Vert.x 3, which is supported until the end of 2022
